The ideas and opinions expressed in this brief are those of the presenter and not necessarily those of Zurich Insurance Company, Ltd., its affiliates, or subsidiaries.


What is a threat?


Three required conditions

A cyber threat is the intersection of three conditions:


Motive
* Expresses both the desire of the actor and their commitment (e.g. script kiddies, insiders, criminals, and nation states have different levels of commitment to their ends).

Capability
* A tool, tactic, technique, or procedure leveraged to exploit the weakness of a vulnerability.

Vulnerability
* A physical, virtual, or social weakness which, if exploited, realizes a cyber risk.


Threat Tiers: Aligning capability to threats


Motive
  Low tier: Smash-and-grab gains, prestige, individual PII (likely for re-selling or simple harassment). Minimal commitment to causes.
  Mid tier: Achieve high-gain financial outcomes (actor profit or losses for victim). Cost-conscious commitment to causes (time/resources).
  High tier: Achieve ideological outcomes. Willing to employ destructive capability to achieve outcomes. Fully committed to causes.

Capability
  Low tier: Publicly available; crude or unprofessional application.
  Mid tier: Publicly available with modification; semi-professional application.
  High tier: Specialized capability; professional application.

Vulnerability
  Low tier: Publicly known.
  Mid tier: Publicly known; purchased from researchers.
  High tier: Publicly known; purchased; self-discovered.


Understanding Threats: A Maze of Data

* What does the threat data mean to my environment?
* How do I prevent the next incident?


Analytic Platform


Understanding Threat Exposure: 3 Sources

Adversaries tend to leverage the same set of vulnerabilities, over and over and over.
* Functional (Technical) Analysis
* Strategic Analysis
* Environment Measurement


Example: Incident to Root Cause in Analytics Platform

Tier 1 Security: Affected Host
  Incident
  Matodan Code 64125324
  Triggers/Alerts
  A threat deployed a capability against this machine — what vulnerability did it leverage?
  [Palantir screenshot]

Vulnerability Posture Analysis
  Qualys Vulnerability Scan Events | Qualys CVE Data
  Java and Adobe... Go Figure...
  [Palantir screenshot]

Where are hosts like this one...
Next Steps - Where I've Seen Success

* Find other machines with the same vulnerability profile to hunt for security incidents (predictive prevention).
* Drive vulnerability closure and mitigation:
  * Model costs and communicate with stakeholders — "these incidents cost you X in fixed costs and Y in downtime - you're not patching because....?"
  * Rapidly model and geolocate hotspots around the globe where the threat-motive-vulnerability intersection is high.
* "Link" threat reports to your environment (e.g. an iSight or iDefense report references a CVE with an exploit - map this new intelligence right to your asset data).
* Create demand for "better" scanning - authentication, watermarking, policy compliance scanning (for indicators of compromise!).
* Advanced entry point analysis — integrate data from Web Application Scanning.
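The incident-to-root-cause walk-through and the "find other machines with the same vulnerability profile" and "link threat reports to your environment" steps above, as an added Python example. This is not code from the presentation, Zurich, Qualys or Palantir: the scan-event layout, hostnames, CVE ids, the incident record and the 0.5 similarity threshold are all constructed assumptions.

```python
"""Added example: link an incident to the vulnerabilities on the affected host,
then hunt for hosts with the same vulnerability profile and map a threat
report's CVE references onto asset data. Not the presentation's own code."""
from collections import defaultdict

# Constructed Qualys-style scan events as (host, CVE id) pairs. Hostnames and
# CVE ids are placeholders, not real findings.
SCAN_EVENTS = [
    ("ws-0101", "CVE-0000-0001"),  # Java runtime finding
    ("ws-0101", "CVE-0000-0002"),  # Adobe Reader finding
    ("ws-0101", "CVE-0000-0003"),  # browser finding
    ("ws-0102", "CVE-0000-0001"),
    ("ws-0102", "CVE-0000-0002"),
    ("ws-0102", "CVE-0000-0003"),
    ("ws-0103", "CVE-0000-0001"),
    ("ws-0103", "CVE-0000-0004"),
    ("srv-0201", "CVE-0000-0005"),
]

# Constructed stand-in for a threat report that references CVEs with a known
# exploit (the "report references a CVE with exploit" case from the slides).
EXPLOITED_CVES = {"CVE-0000-0002", "CVE-0000-0005", "CVE-0000-0009"}

# Constructed Tier 1 incident record: which host fired the alert.
INCIDENT = {"host": "ws-0101", "alert": "endpoint AV blocked malicious code"}


def host_profiles(scan_events):
    """Collapse scan events into one vulnerability profile (set of CVEs) per host."""
    profiles = defaultdict(set)
    for host, cve in scan_events:
        profiles[host].add(cve)
    return {host: frozenset(cves) for host, cves in profiles.items()}


def candidate_root_causes(incident_host, profiles, exploited_cves):
    """Vulnerabilities present on the affected host that intelligence says are
    being exploited: the capability/vulnerability intersection for one machine."""
    return profiles.get(incident_host, frozenset()) & frozenset(exploited_cves)


def jaccard(a, b):
    """Overlap between two CVE sets; 1.0 means identical profiles."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def similar_hosts(incident_host, profiles, min_similarity=0.5):
    """Other hosts whose profile overlaps the affected host's at or above the
    threshold, most similar first: the hunt list for 'where are hosts like this one'."""
    base = profiles[incident_host]
    matches = [
        (host, jaccard(base, cves))
        for host, cves in profiles.items()
        if host != incident_host
    ]
    return sorted(
        [(host, score) for host, score in matches if score >= min_similarity],
        key=lambda pair: (-pair[1], pair[0]),
    )


def link_report_to_assets(report_cves, profiles):
    """Map each CVE a report references to the hosts where the scanner saw it;
    CVEs with no exposed host are dropped so the output holds only actionable items."""
    exposure = {}
    for cve in sorted(report_cves):
        hosts = sorted(host for host, cves in profiles.items() if cve in cves)
        if hosts:
            exposure[cve] = hosts
    return exposure


if __name__ == "__main__":
    profiles = host_profiles(SCAN_EVENTS)
    print("Incident on", INCIDENT["host"], "-", INCIDENT["alert"])
    print("Candidate root cause(s):",
          sorted(candidate_root_causes(INCIDENT["host"], profiles, EXPLOITED_CVES)))
    print("Hosts with a matching profile:", similar_hosts(INCIDENT["host"], profiles))
    print("Report CVEs mapped to assets:", link_report_to_assets(EXPLOITED_CVES, profiles))
```

The similarity threshold decides how wide the hunt list is: at 0.5 only hosts sharing most of the affected host's findings are returned, while lowering it pulls in partial matches, so tune it to how many hosts the Tier 1 team can realistically review. A report CVE that no scanned host carries is dropped from the asset mapping, which is what keeps the output focused on the intersection the presentation describes rather than on every headline in the report.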


The Bottom Line

Linking high-fidelity Qualys asset and vulnerability data into your analytics platform (or even SIEM) allows analysts to focus collection and analysis to provide highly contextualized products to drive prevention and mitigation efforts.


Questions? 


Contact Data

Brian Olson
Head of Cyber Threat Intelligence
Zurich Insurance Group
Brian.Olson@farmersinsurance.com


